MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d22517dafccc940c38f7fc6004d215d9fa9a7a1da8f0c7f2b552be3bcfb94767. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 18


Intelligence 18 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d22517dafccc940c38f7fc6004d215d9fa9a7a1da8f0c7f2b552be3bcfb94767
SHA3-384 hash: 39a503988cbc8cde4aafd367d0dd5749e436b1e80e5b4792c5370b0757d1d574e8bea87a371fb0f0835a0a9ede438d56
SHA1 hash: 80cfd908302df1357a8f53f36e99e58f21f62afd
MD5 hash: 2532c2706cd5a3331b8f76271316a0f0
humanhash: montana-floor-jig-don
File name:darkstream1.exe.bin
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:8'495'616 bytes
First seen:2025-03-16 11:47:16 UTC
Last seen:2025-03-16 12:44:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 196608:NxN/Il5wdeJpLA+TloYNssD7N3ElDWOnE/itky:oWkSaVJ3SDWO
TLSH T1F78612D892B3D5C2C29A3F3EA875CE6448714827FE44DFB1D87A32E2680179BB594C74
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 88e4d8f0b8d82080 (1 x BlankGrabber)
Reporter KatzenTech
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
371
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
darkstream1.exe
Verdict:
Malicious activity
Analysis date:
2025-03-15 22:09:26 UTC
Tags:
blankgrabber uac evasion autorun-startup stealer susp-powershell screenshot discord remote xworm pyinstaller growtopia discordgrabber generic umbralstealer ims-api upx
Link:
https://app.any.run/tasks/99e72cc8-f542-42bf-87b7-5f713b40ffa7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d6cb303962f1a6f471e386
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %temp% subdirectories
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
DNS request
Launching a process
Searching for synchronization primitives
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Launching the process to change network settings
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67d6ba7c0a7899f357982573/reports/59850cf0-ef40-4489-9850-b40b5f571352/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/d22517dafccc940c38f7fc6004d215d9fa9a7a1da8f0c7f2b552be3bcfb94767
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd112f78-fca3-4acb-9c5f-59c23a2b4998
Result
Threat name:
Python Stealer, Blank Grabber
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1639869
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies existing user documents (likely ransomware behavior)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Generic Python Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1639869 Sample: darkstream1.exe.bin.exe Startdate: 16/03/2025 Architecture: WINDOWS Score: 100 93 ip-api.com 2->93 95 discord.com 2->95 97 blank-0lyrq.in 2->97 129 Suricata IDS alerts for network traffic 2->129 131 Found malware configuration 2->131 133 Antivirus / Scanner detection for submitted sample 2->133 135 18 other signatures 2->135 12 darkstream1.exe.bin.exe 4 2->12         started        signatures3 process4 file5 77 C:\Users\user\AppData\Roaming\injection.exe, PE32 12->77 dropped 79 C:\Users\user\AppData\Roaming\Built.exe, PE32+ 12->79 dropped 81 C:\Users\user\...\darkstream1.exe.bin.exe.log, CSV 12->81 dropped 15 Built.exe 22 12->15         started        19 injection.exe 3 12->19         started        21 conhost.exe 12->21         started        23 tasklist.exe 12->23         started        process6 file7 83 C:\Users\user\AppData\Local\Temp\...\rar.exe, PE32+ 15->83 dropped 85 C:\Users\user\AppData\Local\...\rarreg.key, ASCII 15->85 dropped 87 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 15->87 dropped 91 16 other files (none is malicious) 15->91 dropped 103 Multi AV Scanner detection for dropped file 15->103 105 Modifies Windows Defender protection settings 15->105 107 Adds a directory exclusion to Windows Defender 15->107 111 2 other signatures 15->111 25 Built.exe 1 86 15->25         started        89 C:\Users\user\AppData\Roaming\dllhost.exe, PE32 19->89 dropped 109 Bypasses PowerShell execution policy 19->109 29 powershell.exe 19->29         started        31 powershell.exe 19->31         started        signatures8 process9 dnsIp10 99 ip-api.com 208.95.112.1, 49719, 49727, 80 TUT-ASUS United States 25->99 101 discord.com 162.159.137.232, 443, 49728 CLOUDFLARENETUS United States 25->101 137 Found many strings related to Crypto-Wallets (likely being stolen) 25->137 139 Tries to harvest and steal browser information (history, passwords, etc) 25->139 141 Modifies Windows Defender protection settings 25->141 145 5 other signatures 25->145 33 cmd.exe 1 25->33         started        36 cmd.exe 1 25->36         started        38 cmd.exe 25->38         started        44 27 other processes 25->44 143 Loading BitLocker PowerShell Module 29->143 40 conhost.exe 29->40         started        42 conhost.exe 31->42         started        signatures11 process12 signatures13 113 Suspicious powershell command line found 33->113 115 Uses cmd line tools excessively to alter registry or file data 33->115 117 Encrypted powershell cmdline option found 33->117 119 Uses netsh to modify the Windows network and firewall settings 33->119 46 powershell.exe 33->46         started        49 conhost.exe 33->49         started        121 Modifies Windows Defender protection settings 36->121 123 Removes signatures from Windows Defender 36->123 51 powershell.exe 36->51         started        62 2 other processes 36->62 53 powershell.exe 38->53         started        56 conhost.exe 38->56         started        125 Adds a directory exclusion to Windows Defender 44->125 127 Tries to harvest and steal WLAN passwords 44->127 58 getmac.exe 44->58         started        60 powershell.exe 44->60         started        64 49 other processes 44->64 process14 file15 147 Loading BitLocker PowerShell Module 51->147 73 C:\Users\user\AppData\...\rlozioai.cmdline, Unicode 53->73 dropped 149 Potential dropper URLs found in powershell memory 53->149 66 csc.exe 53->66         started        151 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 58->151 153 Writes or reads registry keys via WMI 58->153 75 C:\Users\user\AppData\Local\Temp\mbehx.zip, RAR 64->75 dropped signatures16 process17 file18 71 C:\Users\user\AppData\Local\...\rlozioai.dll, PE32 66->71 dropped 69 cvtres.exe 66->69         started        process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d22517dafccc940c38f7fc6004d215d9fa9a7a1da8f0c7f2b552be3bcfb94767
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d22517dafccc940c38f7fc6004d215d9fa9a7a1da8f0c7f2b552be3bcfb94767/
Threat name:
Win32.Exploit.BlankGrabber
Create hunting rule
Status:
Malicious
First seen:
2025-03-15 22:09:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2isrpwx4zskayohx7rqajuqv3h5ju6q5vdymp4vvkk7dxt5zi5tq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
error
BlankGrabber
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan upx
Link:
https://tria.ge/reports/250316-nyjeratly3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Enumerates processes with tasklist
UPX packed file
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
127.0.0.1:12812
ireland-regardless.gl.at.ply.gg:12812
Verdict:
Malicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/b5743036-cced-45b6-a1b3-b10a76f82c3b
Unpacked files
SH256 hash:
d22517dafccc940c38f7fc6004d215d9fa9a7a1da8f0c7f2b552be3bcfb94767
MD5 hash:
2532c2706cd5a3331b8f76271316a0f0
SHA1 hash:
80cfd908302df1357a8f53f36e99e58f21f62afd
Link:
https://www.unpac.me/results/960a9591-395f-4838-ab90-f6efd875579d/
SH256 hash:
707d0e076fc5883c6db71f0757220874537ea5a4cbce86bb3b2f88a7c6d65c0b
MD5 hash:
17c25fa645bf3754ab739150ba8b840a
SHA1 hash:
9788494028fe74907ee41f2ec123e630c4809c85
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/960a9591-395f-4838-ab90-f6efd875579d/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d22517dafccc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d22517dafccc940c38f7fc6004d215d9fa9a7a1da8f0c7f2b552be3bcfb94767

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments